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ABSTRACT 



A system and method for performing software patches for 
embedded system devices in which the firmware of the 
system is included in non-alterable storage of the device. 
The patch mechanism provides a means for finding firmware 
errors, prototyping fixes to the errors and/or prototyping new 
functionality of the firmware of the embedded system. The 
system comprises an embedded system device coupled to an 
external memory. The device includes a non-alterable 
memory, including firmware, coupled to a processor. The 
device further includes a relatively small amount of patch 
RAM within the device also coupled to the processor. The 
patches are loaded from the external memory into the patch 
RAM. The device further includes a means for determining 
if one or more patches are to be applied. If the device detects 
a patch to be applied, the system loads the patch from the 
external memory into the patch RAM. The device also 
includes a breakpoint register. When the value of the pro- 
gram counter of the processor equals the value in the 
breakpoint register, a patch insertion occurs, i.e., the pro- 
cessor deviates from executing firmware to executing patch 
instructions. Preferably, the embedded system device com- 
prises a single integrated circuit. The processor may include 
a plurality of breakpoint registers. The patch may be 
encrypted for increased security. Multiple patches may be 
chained together, and run-time patch replacement is con- 
templated. 

34 Claims, 7 Drawing Sheets 
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SYSTEM AND METHOD FOR PERFORMING 
SOFTWARE PATCHES IN EMBEDDED 
SYSTEMS 

FIELD OF THE INVENTION 

The present invention relates to embedded systems and in 
particular to software patches of embedded systems with 
non-alterable firmware. 

DESCRIPTION OF THE RELATED ART 

As integrated circuit technology has advanced at a rela- 
tively rapid rate, embedded systems incorporating integrated 
circuit devices have become more and more commonplace. 
Examples of embedded system devices are intelligent con- 
trollers for televisions, automobile engines, microwave 
ovens, telephone answering machines, medical equipment, 
etc. The embedded system devices typically comprise a 
processor, such as a microprocessor, micro-controller, or 
digital signal processor (DSP), and storage elements, such as 
read only memory (ROM). The storage elements typically 
include software which the processor executes to perform 
functions of an application, such as those previously listed. 
The device further includes application logic to interface 
with the television, automobile engine, telephone, or other 
application to gather data from and/or control the applica- 
tion. 

Typically, embedded system devices employ permanent 
storage elements, such as ROM, to store their software. 
Permanent storage elements are used because many embed- 
ded systems do not reside in a computer system, or similar 
system. That is, the systems do not have secondary perma- 
nent storage, such as a disk or tape drive, to store the 
embedded system software. Hence, permanent storage is 
required on the embedded system device itself in order to 
store the embedded system software, since the embedded 
system software cannot be stored elsewhere within the 
system. Most economical forms of solid state permanent 
storage, such as ROM, are non- alterable storage elements. 
The embedded system software is frequently referred to as 
"firmware", since software is permanently stored in the 
hardware of the system. 

Historically, although the firmware of various embedded 
systems may have been sophisticated, i.e., employing 
sophisticated DSP algorithms for example, typically, firm- 
ware is not complex, relatively speaking. That is, firmware 
is traditionally relatively small, and therefore the likelihood 
of firmware errors, or bugs, has been relatively small. 
However, contemporary embedded systems are rapidly 
increasing in complexity, which is increasing the likelihood 
of programming errors in the firmware, which is included in 
non-alterable storage. 

Furthermore, in rapidly evolving marketplaces in which 
the embedded systems are commonly sold, it is often desir- 
able to add new features to an existing product to increase 
functionality. Given the permanent nature of the firmware, 
lengthy cycles are involved in making a firmware change 
during the process of developing the new features. 

Traditional techniques of adding new functionality to a 
firmware system require the existence of special logic which 
either includes its own random access memory (RAM) for 
firmware storage, or is capable of being interfaced to exter- 
nal RAM for firmware storage. An example of this special 
logic is an In-Circuit Emulator (ICE). In many instances an 
ICE is simply not a viable alternative, as this could require 
the development of a special purpose part at enormous 
expense. This is also uneconomical for embedded systems in 
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particular as there will likely not be a market for sales of the 
debug part to help mitigate the development costs. 

It is also often desirable to be able to perform analysis or 
development of existing firmware in the final target system, 
5 since the characteristics of the real system may be either 
very difficult, or even impossible, to model in any type of 
emulator or simulator. This is also difficult or impossible due 
to the permanent nature of the firmware. 

Therefore, a system and method for finding firmware 
10 errors, prototyping fixes to the errors, and/or prototyping 
new functionality of the firmware of an embedded system is 
desired. 

The notion of software breakpoints for debugging soft- 
ware is well known in the art of computer systems. 

15 Typically, the processor within the computer system 
includes a program counter register which contains the 
address of the current instruction to be fetched and executed. 
The processor further comprises debug registers. At least 
one of the debug registers contains an instruction address. 

20 When the value of the program counter equals the value of 
the instruction address debug register, a debug exception, or 
interrupt, occurs. When the processor receives the debug 
exception, the processor deviates execution of the currently 
executing program to a debug handler program, or routine. 

25 One of the debug registers is a debug control register 
containing one or more bits to enable or disable the break- 
point mechanism. 

An example of a processor employing a breakpoint 
mechanism is the INTEL i486 processor. The i486 processor 

30 comprises four Debug Address Registers (D0-D3) and a 
Debug Control Register (DR7). If the appropriate bits are 
present in the Debug Control Register, when the value of the 
program counter register equals the value in one of the 
Debug Address Registers, a debug exception (INT 1) occurs. 

35 More specifically, an instruction breakpoint fault occurs. A 
debug exception causes the processor to deviate execution 
from the current program to a debug exception handler. 

Typically, the debug exception handler invokes a debug- 
ger program which allows the user of a computer system to 

40 interact with the computer system to debug the software 
executing on the system. The debugger program allows the 
user to perform such tasks as examine memory locations and 
register contents of the computer system for the purpose of 
determining software errors, i.e., bugs. However, computer 

45 systems, unlike embedded systems whose firmware resides 
in non-alterable storage, enjoy the privilege of prototyping 
fixes to software errors and/or prototyping new software 
functionality by simply recompiling the program, loading 
the newly compiled program, and executing the program on 

50 the system. In contrast, embedded systems do not enjoy this 
luxury. 

SUMMARY OF THE INVENTION 

The present invention comprises a system and method for 
55 performing software patches for embedded system devices 
in which the firmware of the system is included in non- 
alterable storage of the device. The patch mechanism advan- 
tageously provides a means for finding firmware errors, 
prototyping fixes to the errors and/or prototyping new func- 
60 tionality of the firmware of the embedded system. The 
system comprises an embedded system device coupled to an 
external memory source. The device comprises a non- 
alterable memory, including firmware, coupled to a proces- 
sor. The device further comprises a relatively small amount 
65 of patch RAM within the device. The patches are not part of 
the system under test, but are instead loaded into the patch 
RAM. 
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The device further comprises a means for determining if 
one or more patches are to be applied. If the device detects 
patches to be applied, the device loads the patches from the 
external memory into the patch RAM via an external 
memory interface of the device. The device also comprises 5 
a means for causing the firmware to deviate from normal 
execution and to execute the patch. Preferably the deviation 
means comprises a breakpoint register. The points of devia- 
tion are referred to as breakpoints. At the end of a patch, 
program flow can either return from where normal execution 1Q 
deviated, or can continue elsewhere as specified by the patch 
developer When the value of the program counter of the 
processor equals the value in the breakpoint register, the 
deviation from firmware execution to patch instruction 
execution, i.e., a patch insertion, occurs. Preferably, the 1S 
embedded system device comprises a single integrated cir- 
cuit. 

The patch comprises a sequence of bytes included in the 
external memory. The patch comprises a portion including 
executable patch instructions. Another portion, preferably 2 n 
the first portion, of the patch contains an offset to the 
executable patch instructions. Another portion, preferably 
the second portion, of the patch contains the length of the 
patch. Another portion of the patch contains local variables 
for the patch. Another portion of the patch contains execut- 2 $ 
able startup instructions of the patch, i.e., instructions which 
are executions after loading the patch to perform once only 
operations prior to insertion of the patch. 

One embodiment of the invention comprises a breakpoint 
handler, wherein the processor deviates to the breakpoint 30 
handler when the program counter value equals the break- 
point register value. The breakpoint handler detects the 
presence of a breakpoint condition and branches to the 
patch. 

One embodiment of the invention comprises command 35 
interface logic, wherein various aspects of patch loading are 
controlled. In particular, any or all of the address of the patch 
in external memory, the address of the patch in the patch 
RAM, the patch start address, the breakpoint address, the 
loading of the breakpoint register, the patch size, and the 40 
presence of a patch may be controlled via the command 
interface. 

One embodiment of the invention contemplates a method 
for chaining together multiple patches. The invention further 
contemplates run-time loading of patches, in addition to 45 
boot -time loading of patches, for the purpose, inter alia, of 
replacing a currently executing patch. The invention con- 
templates an embodiment in which the patches are loaded 
into the patch RAM via a direct memory access transfer. In 
one embodiment the processor comprises multiple break- 50 
point registers allowing for multiple patch insertions. 

The invention contemplates storing the patch in the exter- 
nal memory in an encrypted form and decrypting the patch 
as it is loaded into the patch RAM. The encryption mecha- 
nism increases the security of the system by preventing 55 
unauthorized users from loading and inserting patches. 

Thus, the present invention comprises a system and 
method for performing software patches for embedded sys- 
tem devices in which the firmware of the system is included 
in non-alterable storage of the device in order to find 60 
firmware errors, prototype fixes to the errors and/or proto- 
type new functionality of the firmware of the embedded 
system. 

BRIEF DESCRIPTION OF THE DRAWINGS 

63 

A belter understanding of the present invention can be 
obtained when the following detailed description of the 
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preferred embodiment is considered in conjunction with the 
following drawings, in which: 

FIG. 1 is a block diagram of an embedded system 
according to the present invention; 

FIG. 2 is a block diagram illustrating deviation of normal 
firmware execution to execution of patch instructions in the 
system of FIG. 1; 

FIG. 3 is a flowchart illustrating steps taken by the system 
of FIG. 1 to perform a boot sequence including selectively 
loading a patch; 

FIG. 4, illustrates the layout of one embodiment of a 
patch; 

FIG. 5 is a flowchart illustrating detailed steps taken to 
perform the patch loading step of FIG. 3; 

FIG. 6 is a flowchart illustrating detailed steps taken to 
perform the firmware execution step of FIG, 4; 

FIG. 7 is a block diagram illustrating an embodiment of 
the present invention comprising a breakpoint handler. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENT 

Referring now to FIG. 1, a block diagram of an embedded 
system device 10 according to the present invention is 
shown. The device comprises a processor 12. The device 
further comprises ROM 14, patch RAM 16, application 
logic 18, external memory interface logic 22, and a patch 
presence detection means 28 all coupled to the processor 12. 

The processor 12 comprises a microprocessor, micro- 
controller, digital signal processor (DSP), or other type of 
software instruction processing device. In one embodiment 
of the present invention the processor 12 is an ADI 2171 
DSP core. The processor 12 fetches firmware instructions 
from the ROM 14 and executes the firmware instructions. 
Upon certain conditions, described below, the processor 12 
deviates from fetching instructions from the ROM 14 and 
fetches firmware patch instructions from the patch RAM 16 
and executes the firmware patch instructions. 

The ROM 14 comprises read only memory storage ele- 
ments as are well known in the art of solid state memory 
circuits. The invention, however, is not limited to ROM 
technology, but rather is intended to comprehend other 
forms of non-alterable, i.e., once-programmable, solid state 
memory elements. Preferably, the ROM 14 comprises read 
only memory storage which is programmed during fabrica- 
tion of the device 10. That is, the firmware of the device 10 
is determined by the fabrication mask of the ROM 14 
portion of the device 10. Consequently, changing the firm- 
ware (such as for determining bugs, testing bug fixes, or 
testing new functionality) is very costly and time consuming 
since making a firmware change would require fabricating a 
new version of the device 10. 

The patch RAM 16 comprises dynamic random access 
memory (DRAM) or static random access memory (SRAM) 
storage elements as are well known in the art of solid state 
memory circuits. The patch RAM 16, however, is not limited 
to RAM technology, but rather is intended to comprehend 
other forms of alterable solid state memory elements. 

The application logic 18 comprises circuitry to interface 
with the application in which the device 10 is employed or 
to perform functions of the application. For example, the 
application logic 18 is a buffer, receiver, transceiver, or 
register for interfacing with other circuitry such as telephone 
signals. Another example of the application logic comprises 
circuitry for performing analog to digital conversion. 

The processor 12 comprises a program counter 24 and a 
breakpoint register 26. The program counter 24 contains the 
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current address of the instruction to be fetched by the A plurality of the instructions fetched from the boot 

processor 12. The program counter 24 is updated by the address examine the patch presence detection means 28 in 

processor 12 each time an instruction is fetched. The break- step 42. The processor 12 determines if the device is in a 

point register 26 contains a breakpoint location, or break- patch mode, i.e., that a patch is present, in step 44 based 

point address. When the value of the program counter 24 5 upon the value of the patch presence detection means 28. If 

equals the value of the breakpoint register 26 a "patch a patch is present, the processor 12 loads the patch in step 

insertion" occurs, i.e., the processor 12 deviates execution 46. The processor 12 then proceeds to execute the firmware 

from fetching and executing firmware instructions in the in step 48. More details about how the patch is loaded and 

ROM 14 to fetching and executing firmware patch instruc- the firmware is executed will be given below, 

tions in the patch RAM 16 as shown in FIG. 2. 10 Referring now to FIG. 4, the layout of one embodiment of 

FIG. 2 illustrates the normal program flow of execution of a patch 50 is shown. A patch comprises a sequential set of 

firmware instructions included within the ROM 14 of the data bytes in memory. The patch 50 is loaded from the 

device 10. The firmware instructions are shown included in external memory 23 (of FIG. 1) into the patch RAM 16 (of 

sequential address locations within the ROM 14. When the FIG. 1) at an internal patch address, i.e., the address in the 

program counter 24 (of FIG. 1) value equals the breakpoint 15 patch RAM 16 where the patch 50 is loaded. The first 

register 26 value, a patch insertion occurs, i.e., the processor portion of the patch 50, i.e., the data at the internal patch 

12 (of FIG. 1) deviates from normal program flow to the address, comprises a patch offset 51 from the internal patch 

patch start address to execute the patch execution instruc- address to the patch execution instructions. The sum of the 

tions included in the patch RAM 16 as shown. internal patch address and the patch offset 51 determines the 

Referring again to FIG. 1, the external memory interface 20 P atch slart address, i.e., the address of the patch execution 

logic 22 comprises digital circuitry coupled to an external instructions, as shown. 

memory 23 for loading patches from the external memory The next portion of the patch 50 includes the patch size 

23 to the patch RAM 16. The external memory 23 is an 52. Preferably, the patch size 52 is the number of double 

EPROM, FLASH ROM, RAM, or any other suitable exter- words (i.e., 32-bit words) comprising the patch 50. 

nal storage device. 25 The next portion of the patch 50 includes the breakpoint 

The invention contemplates an embodiment in which the address 54 of the patch 50, i.e., the address to be loaded into 

device 10 comprises command interface logic 20 coupled to the breakpoint register 26 (of FIG. 1). The loading of the 

the processor 12. The command interface logic 20 comprises breakpoint address 54 into the breakpoint register 26 will be 

circuitry for receiving commands and providing status to an 3Q described in the discussion of FIG. 5. 

external device which communicates with the device 10 via The next portion of the patch 50 includes a set of patch 

a command interface. The invention contemplates an startup instructions 56. The patch startup instructions 56 

embodiment in which the command interface logic 20 initialize patch local variables 58 and perform any other 

comprises a serial interface such as an RS-232 interface. A actions which are required on a once only basis. The 

second embodiment contemplates the command interface 35 execution of the patch startup instructions 56 will be 

logic 20 comprising a parallel interface such as those described in the discussion of FIG. 5. 

commonly found on personal computers, commonly for The next portion of the patch 50 includes the patch 

communicating with printers. The command interface logic execution instructions 57, the location of which is specified 

20 is used, inter alia, to load patches into the patch RAM 16 by the patch onset 51. The patch execution instructions 57 

and/or control the loading of patches to the patch RAM 16 4Q comprise instructions executable by the processor 12 (of 

through another interface such as the external memory FIG. 1) to perform the desired functionality of the patch, 

interface logic 22. such as finding firmware errors, prototyping fixes to firm- 

The patch presence detection means 28 is readable by the ware errors and/or prototyping new functionality of the 

processor 12 and is used to indicate to the processor 12 firmware. When the value of the program counter 24 equals 

whether or not a patch is present. Preferably the patch 45 the value of the breakpoint register 26, a patch insertion 

presence detection means 28 is a mode register comprising occurs, i.e., the processor 12 deviates from fetching and 

a bit to indicate the presence of a patch. Data is forced by an executing instructions in the ROM 14 and begins fetching 

external device (not shown) onto output pins of the device and executing the patch execution instructions 57 from the 

10 during reset of the device 10 to write the mode register patch RAM 16. 

with a value to selectively indicate the presence or absence 50 The next portion of the patch 50 includes the patch local 

of a patch. Alternatively, the patch presence detection means variables 58. The patch local variables 58 are variables used 

28 is a test mode input pin of the device 10 which is driven by the patch execution instructions to perform the desired 

by an external device. Alternatively, the patch presence patch functions. 

detection means 28 is a mode register included within the Referring now to FIG. 5, a flowchart illustrating in more 

command interface logic 20 and is written with a value to 55 detail steps taken to perform the patch loading step 46 of 

selectively indicate the presence or absence of a patch. FIG. 3 is shown. The processor 12 determines the internal 

Referring now to FIG. 3, a flowchart illustrating steps patch address, i.e., the address in the patch RAM 16 at which 

taken by the device 10 (of FIG. 1) to perform a boot the patch is to be loaded, in step 60. Preferably, the internal 

sequence including selectively loading a patch is shown. patch address is address fixed at address zero in the patch 

When the processor 12 (of FIG. 1) is reset, it initializes its 60 RAM 16. Alternatively, the internal patch address is speci- 

program counter 24 to a predetermined value in step 40 and fied by an external device in a register within the device 10. 

begins fetching and executing instructions at the address Alternatively, the internal patch address is specified in the 

contained in the program counter 24. The initial address, i.e., command interface logic 20 via the command interface, 

boot address, contained in the program counter 24 is an The processor 12 determines the external patch address, 

address in the ROM 14, Preferably, the boot address is near 65 i.e., the address in the external memory 23 at which the patch 

the top or bottom of the processor 12 address space. In one is stored, in step 62. Preferably, the external patch address is 

embodiment the boot address is address zero. fixed at an address within the external memory 23 which is 



06/03/2004, EAST Version: 1.4.1 



5,901 

7 

a number of bytes from the end of the external memory 23 
which is equal to the size of the patch RAM 16. For example, 
if the external memory 23 is a 64K13 EPROM, and the patch 
RAM 16 is 512 bytes of RAM, the external patch address 
would be at address 65024 (i.e., 65536-512). Alternatively, 5 
the external patch address is specified by an external device 
in a register within the device 10. Alternatively, the external 
patch address is specified in the command interface logic 20 
via the command interface. 

The processor determines the patch size, i.e., the number 10 
of bytes of the patch, in step 64. Preferably the patch 
includes the number of 32-bit words comprising the patch, 
as shown in FIG. 4. In one embodiment, the patch size is 
included in the fourth byte of the patch. Alternatively, the 
patch size is specified by an external device in a register 15 
within the device 10. Alternatively, the patch size is specified 
in the command interface logic 20 via the command inter- 
face. Alternatively, the patch size is fixed at a predetermined 
length. Alternatively, the processor 12 assumes the patch 
size is equal to the size of the patch RAM 16. 20 

Once the processor 12 has determined the external patch 
address, the internal patch address, and the patch size, the 
processor 12 copies patch size words of data from the 
external patch address of the external memory 23 to the 
internal patch address of the patch RAM 16 in step 66. As 25 
previously stated, in one embodiment, the patch size is 
specified near the beginning of the patch itself. Hence, the 
processor 12 copies enough of the patch to determine the 
size of the patch and then copies the remaining bytes of the 
patch after determining the size. 30 

In one embodiment, a set of patch startup instructions 56 
exists in the patch, as shown in FIG. 4. After copying the 
patch to the patch RAM 16, the processor 12 executes the 
patch startup instructions 56 in step 68. The patch startup 35 
instructions 56 initialize the patch local variables and per- 
form any other actions which are required on a once only 
basis. 

The processor 12 then loads the breakpoint register 26 
with the breakpoint address, i.e., the address at which the 40 
processor 12 deviates execution from the firmware instruc- 
tions included in the ROM 14 to the patch execution 
instructions included in the patch RAM 16 in step 70. 
Preferably the breakpoint address 54 is included in the patch 
as shown in FIG. 4. Alternatively, the breakpoint address is 45 
specified by an external device in a register within the device 
10. Alternatively, the breakpoint address is specified in the 
command interface logic 20 via the command interface. The 
processor 12 then returns to the boot code to begin executing 
the firmware. 50 

Referring now to FIG. 6, a flowchart illustrating in more 
detail steps taken to perform the firmware execution step 48 
of FIG. 3 is shown. The processor 12 fetches an instruction 
at the value of the program counter 24 in step 80. The 
processor 12 next increments the program counter 24 by the 55 
size of the instruction fetched in step 82. In one embodiment, 
the processor 12 instruction size is fixed, hence the program 
counter 24 is incremented by a fixed amount after each 
instruction fetch. In another embodiment, the processor 12 
instruction size is variable. The processor 12 executes the 6 o 
instruction fetched, in step 84. 

The processor 12 determines if the program counter 24 
value is equal to the breakpoint register 26 value in step 86. 
If the values are not equal, the processor 12 determines if the 
instruction executed in step 84 is a branch instruction in step 65 
88. If the instruction is a branch instruction, the processor 12 
updates the program counter 24 to the address specified by 
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the branch instruction in step 90. If the instruction is not a 
branch instruction, the processor 12 returns to step 80 to 
fetch another instruction at the program counter 24. 

If in step 86 the processor 12 determines that the values 
of the program counter 24 and the breakpoint register 26 are 
equal, the processor 12 branches to the patch start address, 
i.e., the address of the patch execution instructions, in step 
92, as illustrated in FIG. 2. Branching to the patch start 
address comprises updating the program counter 24 to have 
a value equal to the patch start address. The processor 12 
then returns to step 80 to begin fetching instructions at the 
updated program counter 24, i.e., the patch start address. 

Referring now to FIG. 7, a block diagram illustrating an 
embodiment of the present invention comprising a break- 
point handler is shown. Preferably, branching to the patch 
start address, i.e., step 92 (of FIG. 6), comprises the pro- 
cessor deviating to a breakpoint handler, wherein the break- 
point handler executes a branch instruction to the patch start 
address. The breakpoint handler resides in the ROM 14 as 
part of the firmware. The breakpoint handler entry point 
resides at a fixed location in the processor 12 address space, 
i.e., in a fixed location in the ROM 14. 

When a breakpoint condition occurs, i.e., when the value 
of the breakpoint register 26 equals the value of the program 
counter 24, the processor 12 deviates from normal 
execution, i.e., execution of the current instruction, and 
begins fetching and executing instructions from the break- 
point handler entry point, as shown. The breakpoint handler 
calculates the patch start address by adding the internal 
patch address to the patch offset 51 (of FIG. 4). The 
breakpoint handler then executes a branch instruction to the 
patch start address and the processor 12 begins fetching and 
executing the patch execution instructions 57 (of FIG. 4). 

In one embodiment, the processor 12 comprises a non- 
maskable interrupt (NMI). An NMI occurs under at least two 
conditions. The first condition is when an NMI input signal 
to the processor 12 becomes active. The second condition is 
a breakpoint condition, i.e., when the value of the breakpoint 
register 26 equals the value of the program counter 24. The 
processor 12 receives an NMI whenever either of the two 
NMI conditions occurs. When an NMI condition occurs, the 
processor 12 branches to an NMI vector, i.e., a fixed address 
in the address space of the processor 12. Preferably, the NMI 
vector address is the address of the breakpoint handler entry 
point described supra. 

The breakpoint handler determines which of the two NMI 
conditions generated the NMI. In one embodiment, the NMI 
input signal indicates a power down condition. In this 
embodiment, the device 10 comprises a means for deter- 
mining if a power down condition is present. The breakpoint 
handler determines if the power down condition is present, 
by reading the power down condition determining means. If 
a power down condition is not present, the breakpoint 
handler assumes that a breakpoint condition has occurred 
and correspondingly branches to the patch start address as 
described supra. 

Alternatively, the step 92 (of FIG. 6) of branching to the 
patch start address comprises the processor 12 (of FIG. 1) 
directly loading the program counter 24 with the value of the 
patch start address. In one embodiment, the processor 12 
directly loads the program counter 24 from a patch start 
address register. In this embodiment, the processor 12, 
during the boot sequence, calculates the patch start address 
by adding the internal patch address to the patch offset 51 
and populating the patch start address register. 

In another embodiment, the processor 12 directly loads 
the program counter 24 by calculating the patch start address 
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and loading it into the program counter 24. In this be combined with the embodiment comprising a plurality of 

embodiment, the processor 12 calculates the patch start breakpoint registers. 

address by adding the internal patch address to the patch The present invention contemplates an embodiment in 
offset 51. which patches are "run-time loaded" in addition to limit- 
Alternatively, the step 92 (of FIG. 6) of branching to the 5 time loaded. That is, patches are loaded during real time 
patch start address comprises a branch instruction to the operation of the device 10, i.e., during firmware execution 
patch start address being forced into the instruction stream. (step 48 of FIG. 3) in addition to during the boot sequence. 
The processor 12 comprises a data bus upon which instruc- Run-time patch loading provides a mechanism for replacing 
tions are fetched from the ROM 14 and patch RAM 16. patches which are currently executing. The present inven- 
Forcing the branch instruction into the instruction stream 10 tion contemplates employing run-time patch loading to 
comprises forcing onto the data bus of the processor 12 the accomplish patch chaining as described supra, 
branch instruction to the patch start address whenever the The present invention contemplates an embodiment in 
processor 12 fetches an instruction from a "known address". which patches are loaded by a DMA operation from the 
Preferably the "known address" is the address to which the external memory 23 into the patch RAM 16. This embodi- 
processor deviates upon the occurrence of a breakpoint 15 ment allows real-time execution of the system to continue 
condition. Thus, the actual data at the "known address" in while the patch is being loaded. In this embodiment, the 
ROM 14 or patch RAM 16 is discarded in favor of the breakpoint register 26 and patch start address are loaded via 
surrogate branch instruction to the patch start address. The the command interface. 

processor 12 executing the branch instruction to the patch In many embedded systems it is desirable to protect the 

start address causes the program counter 24 to get updated 20 device 10 from being scrutinized by the end user of the 

with the patch start address and the patch execution instruc- device 10. It is desirable that an unauthorized person not be 

tions 57 to be fetched and executed, able to load a patch. It is further desirable that an unautho- 

In one embodiment, the processor 12 fetches and executes rized person not be able to extract the firmware from the 

instructions in a pipelined manner, as is well known in the device. The existence of a mechanism for loading software 

art of processor design. In this embodiment, the processor 12 25 patches creates a security breach. The present invention 

may execute one or more instructions beyond the instruction contemplates an encryption mechanism for increasing the 

at which the breakpoint is to occur. In such case, the patch security of the embedded system comprising the device 10. 

programmer must be aware of the pipelined characteristics Preferably the patch is encrypted prior to storage in the 

of the processor 12 and create a patch which takes these external memory and decrypted as the patch is loaded into 

characteristics into consideration. 30 the device 10 in order to recover the original bit sequence of 

Alternate Embodiments the patch, i.e., a bit sequence of instructions executable by 

The present invention contemplates an embodiment in the processor 12. 

which the patch start address is specified in the command In one embodiment, a "one time pad" encryption mecha- 

interface logic 20 via the command interface, rather than in nism is employed. A one time pad is a string of random 

the patch itself. Another embodiment is contemplated in 35 numbers used to encrypt a message, in particular, a bit 

which the internal patch address is specified by an external sequence of software program instructions. Each string of 

device in a register within the device 10. Alternatively, the random numbers is used only once to encrypt the software, 

patch start address is fixed, i.e., hard-coded into the proces- i.e., the patch. In one embodiment, the random numbers are 

sor 12. obtained by sampling ionospheric scatter. 

The present invention contemplates an embodiment in 40 In one embodiment of the one time pad encryption 

which the processor 12 comprises a plurality of breakpoint mechanism, the patch is encrypted by multiplying the patch 

registers. Each breakpoint register may be loaded with a by a polynomial, or encryption key, in the Galois Field (2), 

different value, thus providing the ability to insert a plurality i.e., GF(2), The patch is decrypted by dividing the patch by 

of patches, i.e., each breakpoint register has an associated the same polynomial as it is being loaded into the device 10. 

patch start address. If the program counter 24 value equals 45 Galois Fields are well known in the art of coding. The reader 

any of the values in the plurality of breakpoint registers, a is referred to Introduction to Trellis-Coded Modulation with 

patch insertion of the patch corresponding to the breakpoint Applications, Biglieri, et. al., Macmillan Publishing 

register whose value equals the value of the program counter Company, 1991, which is hereby incorporated by reference, 

24 occurs. The plurality of patch start addresses associated for a more detailed description of Galois Fields, 

with each of the breakpoint registers are specified by any of 50 If an encrypted patch is loaded with an invalid encryption 

the means described supra, i.e., within the patch itself, via polynomial, the patch, once decrypted, will be a bit sequence 

the command interface logic 20, by a plurality of registers which will have an extremely high probability of not being 

within the device 10, or at a fixed address associated with valid processor instructions. Preferably, when the processor 

each breakpoint register. executes invalid instructions with unexpected results. Thus, 

The present invention further contemplates an embodi- 55 an unauthorized user is prevented from executing a patch 

ment in which the patch execution instructions alter the which might allow a means for extracting the firmware of 

contents of the breakpoint register and patch start address, the embedded system device or from executing a patch to 

thereby providing a means to achieve "patch chaining." To perform an unauthorized function. 

illustrate by way of example, a first patch, patch A, executes Preferably the processor 12 performs the decryption. The 

and during execution alters the patch start address with a 60 present invention also contemplates the device 10 compris- 

new value corresponding to a patch B and loads the break- ing dedicated logic to perform the decryption. The present 

point register with a new value corresponding to a patch B, invention is not intended to be limited to GF polynomial 

thus enabling patch B and disabling itself, i.e., disabling encryption techniques, but rather is intended to encompass 

patch A. Thus, patch B has been "chained" to patch A. any suitable encryption technique. 

Patch B then performs the reverse action, i.e., enable 65 Although the system and method of the present invention 

patch A and disable patch B. The number of patches which has been described in connection with the preferred 

may be chained is unrestricted. Further, patch chaining may embodiment, it is not intended to be limited to the specific 
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form set forth herein, but on the contrary, it is intended to 11. The device as recited in claim 1, wherein said device 

cover such alternatives, modifications, and equivalents, as comprises a plurality of breakpoint registers each containing 

can be reasonably included within the spirit and scope of the a value, wherein said alterable memory is configured to store 

invention as defined by the appended claims. a plurality of patches each comprising patch instructions, 

We claim: 5 wherein said plurality of patches correspond to said plurality 

1. A embedded system device configured to receive a of breakpoint registers, wherein said processor is configured 
software patch, comprising: to deviate from executing said instructions included in said 

a processor including a breakpoint register and a program non-alterable memory to execute said patch instructions of 

counter, each adapted for storing a value; one of said plurality of patches stored in said alterable 

a non-alterable memory coupled to said processor, 10 memory when said program counter value equals a corre- 

wherein said non-alterable memory includes instruc- sponding one of said breakpoint register values, 

tions executable by said processor; and 12 The device as recited in claim 1, wherein said device 

an alterable memory coupled to said processor configured further comprises: 

to store a patch, wherein said patch comprises patch meaDS for receiving a direct memory access transfer of 

instructions executable by said processor; P atcb mto said alterable memory. 

. • • , • c jij-*^ 13. The device as recited in claim 1, wherein said pro- 

wherein said processor is configured to deviate from . ^ " , ' / , , v , 

r . # . • i j j • -j cessor comprises an interrupt signal generated when said 

executing said instructions included in said non- r . . J .fi r ■ . ■ . i 

u .1 . 4 . . • . program counter value equals said breakpoint register value, 

alterable memory to execute said patch instructions . • • j j • • - • • 

• • j v. i_i L -j wherein said deviation occurs in response to said interrupt 

stored in said alterable memory when said program . r r 

counter value equals said breakpoint register value, 7n n V., , . . , . , ., , 

, • j . • « . J~ . i j j 14. lne device as recited in claim 1. wherein said device 

wherein said patch is encrypted prior to being loaded t . 

. , w r , , j i . . 5 • further comprises: 
into said alterable memory, and wherein said device is 

configured lo decrypt said patch when loading said command interface logic operably coupled to said pro- 
patch into said alterable memory. 1X5501 10 °° ntro1 loadm e sald P atch 10,0 sald alt6rable 

2. The device as recited in claim 1, wherein said device 95 * m !! mor ^' . 

comprises a single integrated circuit. u 1S ' ^ device 35 recited in claim 14, wherein said 

3. The device as recited in claim 1, wherein said device is breakpoint register value is loaded mto said breakpoint 
configured to load said patch into said alterable memory command interface logic. 

from a memory external to said device. 16 u embedded system configured to receive a software 

4. The device as recited in claim 1, wherein said device 30 P atcn ' censing: 

further comprises: an embedded system device comprising: 

patch presence detection means for indicating a presence a processor including a breakpoint register and a program 

of a patch in an external memory; counter, each containing a value; 

wherein said device is coupled to said patch presence a non-alterable memory coupled to said processor, 

detection means and is configured to load said patch 35 wherein said nonalterable memory includes mstruc- 

into said alterable memory if said patch presence tlODS executable by said processor; and 

detection means indicates the presence of said patch. aD alterable memory coupled to said processor configured 

5. The device as recited in claim 1, wherein said patch t0 store a patch, wherein said patch comprises patch 
further comprises a patch offset indicating the location of instructions executable by said processor; and 

said patch iastructions. 40 an external memory operably coupled to said device 

6. The device as recited in claim 1, wherein said patch including said patch; 

further comprises a patch size indicating the size of said wherein said processor is configured to load said patch 

patch. from said external memory to said alterable memory 

7. The device as recited in claim 1, wherein said patch and to execute said patch, wherein said patch is 
further comprises a breakpoint address for loading into said 45 encrypted prior to being loaded into said alterable 
breakpoint register, wherein said processor deviates from memory, and wherein said device is configured to 
executing said instructions included in said non- alterable decrypt said patch when loading said patch into said 
memory to execute said patch instructions stored in said alterable memory. 

alterable memory when said program counter value equals 17. The system as recited in claim 16, wherein said patch 

said breakpoint register value loaded into said breakpoint so further comprises a patch offset indicating the location of 

register. said patch instructions. 

8. The device as recited in claim 1, wherein said patch 18. The system as recited in claim 16, wherein said patch 
further comprises variables used in operation of said patch further comprises a patch size indicating the size of said 
instructions. patch. 

9. The device as recited in claim 1, wherein said patch 55 19. The system as recited in claim 16, wherein said patcb 
further comprises startup instructions, wherein said proces- further comprises a breakpoint address for loading into said 
sor is configured to execute a plurality of said startup breakpoint register, wherein said processor deviates from 
instructions after loading said patch and prior to executing executing said instructions included in said non-alterable 
said patch instructions. memory to execute said patch instructions stored in said 

10. The device as recited in claim 1, wherein said non- 60 alterable memory when said program counter value equals 
alterable memory includes breakpoint handler instructions, said breakpoint register value loaded into said breakpoint 
wherein said processor is configured to deviate from execut- register. 

ing said instructions included in said non-alterable memory 20. The system as recited in claim 16, wherein said patch 

to execute said breakpoint handler instructions when said further comprises variables used in operation of said patch 

program counter value equals said breakpoint register value, 65 instructions. 

wherein said breakpoint handler instructions branch to said 21. The system as recited in claim 16, wherein said patch 

patch instructions. further comprises startup instructions, wherein said proces- 
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sor is configured to execute a plurality of said startup 
instructions after loading said patch and prior to executing 
said patch instructions. 

22. A method for executing a patch in an embedded 
system device comprising a processor including a break- 
point register and a program counter, each containing a 
value, a non-alterable memory coupled to said processor, 
wherein said non-alterable memory includes instructions 
executable by said processor, and an alterable memory 
coupled to said processor configured to store a patch, 
wherein a portion of said patch comprises patch instructions 
executable by said processor, the method comprising: 

initializing said program counter to a value; 
loading said breakpoint register with a breakpoint 
address; 

determining a presence of said patch after said initializing 
said program counter value and before said loading said 
breakpoint register; 

loading said patch into said alterable memory before said 
loading said breakpoint register if said patch is present; 

encrypting said patch prior to said initializing said pro- 
gram counter to a value; 

decrypting said encrypted patch during said loading said 
patch; 

fetching an instruction from said non-alterable memory at 
an address equal to said program counter value; 

incrementing said program counter in response to said 
fetching; 

executing said instruction; 

performing said fetching, said incrementing and said 

executing until said program counter value equals said 

breakpoint register value; 
deviating from said fetching, said incrementing and said 

executing when said program counter value equals said 

breakpoint address; 
executing a plurality of patch instructions of a patch 

included in said alterable memory in response to said 

deviating. 

23. The method as recited in claims 22, wherein said 
loading said patch comprises copying said patch from an 
external memory coupled to said device into said alterable 
memory. 

24. The device as recited in claim 23, wherein said 
copying comprises said processor performing said copying, 

25. The device as recited in claim 23, wherein said 
copying comprises a direct memory access transfer. 

26. The method as recited in claim 22, wherein said patch 
comprises startup instructions, wherein the method further 
comprises executing said startup instructions prior to said 
loading said breakpoint register. 

27. The method as recited in claim 22, wherein said patch 
comprises said breakpoint address, wherein said loading 
said breakpoint register with said breakpoint address com- 
prises loading said breakpoint address from said patch into 
said breakpoint register. 

28. The method as recited in claim 22, wherein said 
non-alterable memory further includes breakpoint handler 
instructions, the method further comprising: 

executing said breakpoint handler instructions after said 
deviating; 

said breakpoint handler instructions branching to said 
patch instructions. 

29. The method as recited in claim 22, wherein said 
deviating comprises loading said program counter with the 
address of said patch instructions. 
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30. The method as recited in claim 22, wherein said 
deviating comprises forcing a branch instruction to said 
patch instructions when performing said fetching an instruc- 
tion from said non-alterable memory when said fetching 
address is a predetermined address. 

31. The method as recited in claim 22, wherein a single 
integrated circuit comprises said device. 

32. A method for executing a series of patches in an 
embedded system device comprising a processor including 
a breakpoint register and a program counter, each containing 
a value, a non-alterable memory coupled to said processor, 
wherein said non-alterable memory includes firmware 
instructions executable by said processor, and an alterable 
memory coupled to said processor configured to store said 
series of patches, wherein a portion of each of said series of 
patches comprises patch instructions executable by said 
processor, the method comprising: 

executing said firmware instructions; 
loading a first of said series of patches into said alterable 
memory; 

loading said breakpoint register with a first breakpoint 
address after said loading said first of said series of 
patches; 

deviating from said executing said firmware instruction 

when said program counter value equals said first 

breakpoint address; 
executing said first of said series of patches in response to 

said deviating from said executing said firmware 

instructions; 

loading a second of said series of patches into said 

alterable memory; 
loading said breakpoint register with a second breakpoint 

address after said loading said second of said series of 

patches; 

deviating from said executing said first of said series of 

patches when said program counter value equals said 

second breakpoint address; 
executing said second of said series of patches in response 

to said deviating from said executing said first of said 

series of patches. 

33. A method for executing a series of patches in an 
embedded system device comprising a processor including 
a breakpoint register and a program counter, each containing 
a value, a non -alterable memory coupled to said processor, 
wherein said non-alterable memory includes firmware 
instructions executable by said processor, and an alterable 
memory coupled to said processor configured to store said 
series of patches, wherein a portion of each of said series of 
patches comprises patch instructions executable by said 
processor, the method comprising: 

loading a first of said series of patches into said alterable 
memory; 

loading a second of said series of patches into said 

alterable memory; 
loading said breakpoint register with a first breakpoint 

address after said loading said first and second of said 

series of patches; 
executing said firmware instructions; 
deviating from said executing said firmware instruction 

when said program counter value equals said first 

breakpoint address; 
executing said first of said series of patches in response to 

said deviating from said executing said firmware 

instructions; 
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loading said breakpoint register with a second breakpoint 
address after said loading said second of said series of 
patches; 

deviating from said executing said first of said series of 
patches when said program counter value equals said 
second bre akpoint address; 
executing said second of said series of patches in response 
to said deviating from said executing said first of said 
series of patches. 
34. A method for replacing a patch in an embedded system 
device comprising a processor including a breakpoint reg- 
ister and a program counter, each containing a value, a 
non-alterable memory coupled to said processor, wherein 
said non-alterable memory includes firmware instructions 
executable by said processor, and an alterable memory 
coupled to said processor configured to store said series of 
patches, wherein a portion of each of said series of patches 
comprises patch instructions executable by said processor, 
the method comprising: 

loading a first patch into said alterable memory; 
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loading said breakpoint register with a first breakpoint 

address after said loading said first patch; 
executing said firmware instructions; 
deviating from said executing said firmware instruction 

when said program counter value equals said first 

breakpoint address; 
executing said first patch in response to said deviating 

from said executing said firmware instructions; 
loading a second patch into said alterable memory; 
loading said breakpoint register with a second breakpoint 

address after said loading said second patch; 
deviating from said executing said first patch when said 

program counter value equals said second breakpoint 

address; 

executing said second patch in response to said deviating 
from said executing said first patch. 
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